Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Compliance For Business Ventures – Why engage in pre-acquisition due diligence? The Business Perspective

Why should a company engage in pre-acquisition due diligence in the M&A context? In this episode, I am joined by Affiliated Monitors founder Vin DiCianni to explore the business reasons for engaging in what may be seen as a compliance exercise.

Financial, legal, or reputational risk can have a significant impact on the valuation of a transaction or its desirability. Factors such as current or historical bribery/corruption discovered at any point in the acquiring company provide the compliance practitioner with strong ammunition when confronted with a management that fails to understand the need for robust due diligence in an M&A transaction. By not focusing on the regulatory aspects of M&A transactions, but more on the market reasons for engaging in the appropriate due diligence, you can emphasize the business reasons for compliance.
Three key takeaways:

  1. There are numerous legal and business reasons to engage in anti-corruption due diligence in the M&A space.
  2. ESG can present significant corruption risks in emerging markets.
  3. Present your analysis in high, medium and low risk formats.
Categories
Blog

The Week That Was in Compliance – The ECCP: Part 3 – Messaging Apps

In addition to the speeches presented at the ABA’s 38th Annual National Institute on White Collar Crime by Deputy Attorney General Lisa Monaco (2023 Monaco Speech) and Assistant Attorney General Kenneth A. Polite (Polite Speech), there was the release of the 2023 U.S. Department of Justice Criminal Division Evaluation of Corporate Compliance Programs (ECCP). Today we review another new addition to the ECCP, dealing with messaging apps.

There is not much which seems to exercise the regulators in the compliance space as much as messaging apps. The Securities and Exchange Commission (SEC) has brought multiple and very large enforcement actions against regulated industries around their allowing employees to use messaging apps with no corporate oversight. The Department of Justice (DOJ) has been talking about messaging apps for over two years and has now incorporated its guidance into the ECCP.

The ECCP opened this section by noting, “Messaging applications have become ubiquitous in many markets and offer important platforms for companies to achieve growth and facilitate communication.” For any company under investigation or in a Foreign Corrupt Practices Act (FCPA) enforcement action, the DOJ will evaluate its “policies and mechanisms for identifying, reporting, investigating, and remediating potential misconduct and violations of law…governing the use of personal devices, communications platforms, and messaging applications, including ephemeral messaging applications.” Off the shelf policies will not be sufficient as the company’s management of messaging apps “should be tailored to the corporation’s risk profile and specific business needs.” Not surprisingly the DOJ is also concerned about storage, access and even backups, requiring that “business-related electronic data and communications are accessible and amenable to preservation by the company.” Training and communication of these policies and procedures will also be evaluated and “whether the corporation has enforced the policies and procedures on a regular and consistent basis in practice.”

The Messaging Apps

Under the section entitled “Communication Channels”, the DOJ poses a series of questions that every compliance program must answer. These questions include:

  • What electronic communication channels does the company and its employees use, or allow to be used, to conduct business?
  • How does that practice vary by jurisdiction and business function, and why?
  • What mechanisms has the company put in place to manage and preserve information contained within each of the electronic communication channels?
  • What preservation or deletion settings are available to each employee under each communication channel, and what do the company’s policies require with respect to each?
  • What is the rationale for the company’s approach to determining which communication channels and settings are permitted?

Under this section, compliance must delineate which messaging apps a company uses and why. Is it consistent or does it vary country by country? What mechanism has your organization put in place to manage this risk? Finally, how are the communications preserved and what is your rationale for your system?

Policies and Procedures

Under the section entitled “Policy Environment”, the DOJ poses a series of questions that every compliance program must answer. These questions include:

  • What policies and procedures are in place to ensure that communications and other data is preserved from devices that are replaced?
  • What are the relevant code of conduct, privacy, security, and employment laws or policies that govern the organization’s ability to ensure security or monitor/access business-related communications?
  • If the company has a “bring your own device” (BYOD) program, what are its policies governing preservation of and access to corporate data and communications stored on personal devices—including data contained within messaging platforms—and what is the rationale behind those policies?
  • How have the company’s data retention and business conduct policies been applied and enforced with respect to personal devices and messaging applications?
  • Do the organization’s policies permit the company to review business communications on BYOD and/or messaging applications?
  • What exceptions or limitations to these policies have been permitted by the organization? If the company has a policy regarding whether employees should transfer messages, data, and information from private phones or messaging applications onto company record-keeping systems in order to preserve and retain them, is it being followed in practice, and how is it enforced?

This section presents several areas a compliance professional should look into for their program. Do you have an appropriate set of policies and procedures in place and are they the same for company issued phones and BYOD phones? If not, why not? Do you have a data retention policy in place for messaging apps and their platforms and is it applied consistently (if at all)? Does your organization review business communications through messaging apps or does your organization even have the right to do so? Finally, are messages preserved somewhere?

Under the section entitled “Risk Management”, the DOJ poses a series of questions that every compliance program must answer. These questions include:

  • What are the consequences for employees who refuse the company access to company communications? Has the company ever exercised these rights?
  • Has the company disciplined employees who fail to comply with the policy or the requirement that they give the company access to these communications? Has the use of personal devices or messaging applications—including ephemeral messaging applications—impaired in any way the organization’s compliance program or its ability to conduct internal investigations or respond to requests from prosecutors or civil enforcement or regulatory agencies?
  • How does the organization manage security and exercise control over the communication channels used to conduct the organization’s affairs?
  • Is the organization’s approach to permitting and managing communication channels, including BYOD and messaging applications, reasonable in the context of the company’s business needs and risk profile?

This final section might as well have been named ‘consequence management’ but I guess that moniker was already taken. Here the DOJ wants to know what consequences recalcitrant employees faced for failure to follow the appropriate policies and procedures. Moreover, did any employee actions around messaging apps hinder or block internal investigations or regulators’ queries or attendant responses? Next, is an appropriate level of internal security being exercised for such communications? Finally, are the company’s actions reasonable in the context of its business needs and risk management protocol?

Obviously, there is quite a bit in these three sections every compliance professional will have to consider. But the framework already exists which you can adapt. It is risk assessment, risk management strategy, ongoing monitoring, and ongoing improvement. It may take some work but your blueprint to handle these requirements exists.

Join us tomorrow when we conclude our review of the 2023 ECCP.

Categories
Everything Compliance - Shout Outs and Rants

Episode 114 – Shout Outs and Rants

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. Everything Compliance has been honored by W3 as the top podcast talk show. In this episode, we have the quartet of Tom Fox, Jonathan Marks, Matt Kelly, and special guest Scott Garland from Affiliated Monitors for our fan fav Shout Outs and Rants edition.

  1. Matt Kelly has a dual rant. He shouts out to the PCAOB for reminding folks that cryptocurrency ‘reserve reports’ are not worth the paper they are printed on. He rants about crypto being a big circular whackadoo.
  2. Jonathan Marks shouts out to the US House of Representatives for overwhelmingly voting to investigate the origins of Covid-19.
  3. Tom Fox rants about the Tennessee legislature’s attempt to ban Shakespeare, movies such as Tootsie and Some Like It Hot, and politicians such as George Santos, all in the guise of banning drag shows.
  4. Special Guest Scott Garland shouts out to the Department of Justice for their continued evolution in their thinking about compliance and compliance programs.
Categories
Daily Compliance News

March 14, 2023 – The $27bn In Corruption Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Stories we are following in today’s edition of Daily Compliance News:

  • Qatar alleged to have spied on Swiss FIFA prosecutor. (Times of Israel)
  • $27bn tax and corruption scandal in Indonesia. (TheStraitsTimes)
  • South African corruption watchdog to clear President Ramaphosa. (NYT)
  • Coal company receives declination. (FCPA Blog)

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Compliance for Business Ventures – Pre-acquisition Risk Assessment

One of the clearest themes from the original 2012 FCPA Resource Guide was the importance of your pre-acquisition work in any M&A on a target company. In the section on Declinations, the 2012 FCPA Resource Guide provided an example of a company that had received a declination in large part because of its pre-acquisition work, which then served as a basis for its post-acquisition remediation. I find it appropriate to think of the process as a straight line, directly from the pre-acquisition phase to closing and then to remediation, integration, and self-reporting in the post-acquisition phase. These same concepts were brought forward in the 2020 FCPA Resource Guide, 2nd edition.

It should all begin with a preliminary pre-acquisition assessment of risk. Such an early assessment will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst-case scenarios. A pre-acquisition risk assessment could also be used as a mechanism through which to view the feasibility of the business strategy and help to value the potential target.

The pre-acquisition risk assessment can be critical in any M&A work for compliance. Use this opportunity to see where the target might stand on compliance. Your risk assessment can evolve as you obtain greater information. Finally, use this pre-acquisition risk assessment as a base document to plan, resource, and budget for your post-acquisition remediation, integration, and reporting.

Three key takeaways: 

  1. One never has enough time to engage in all the pre-acquisition reviews you might want to do, so optimize your time and resources.
  2. Consider what you can review to put together a preliminary risk assessment on the target.
  3. As with most compliance initiatives, you are only limited by your imagination, so if you are limited in time and scope, try something new and different.
Categories
Blog

The Week That Was in Compliance – The ECCP: Part 2 – Consequence Management

In addition to the speeches presented at the ABA’s 38th Annual National Institute on White Collar Crime by Deputy Attorney General Lisa Monaco (2023 Monaco Speech) and Assistant Attorney General Kenneth A. Polite (Polite Speech), there was the release of the 2023 U.S. Department of Justice Criminal Division Evaluation of Corporate Compliance Programs (ECCP). Today we review another new addition to the ECCP, that being ‘consequence management’. This certainly includes clawbacks but there is also other language which compliance professionals will need to incorporate into their compliance program beyond clawbacks.

The Department of Justice (DOJ) has been talking about clawbacks for some time now. However, the revised language of the ECCP puts more rigor around what the DOJ is now mandating. This section begins by noting that financial penalties as well as financial incentives can influence employee behavior and that prosecutors are now required to consider both aspects. It states:

“By way of example, prosecutors may consider whether a company has publicized disciplinary actions internally, where appropriate and possible, which can have valuable deterrent effects. Prosecutors may also consider whether a company is tracking data relating to disciplinary actions to measure effectiveness of the investigation and consequence management functions. This can include monitoring the number of compliance-related allegations that are substantiated, the average (and outlier) times to complete a compliance investigation, and the effectiveness and consistency of disciplinary measures across the levels, geographies, units or departments of an organization…Some companies have also enforced contract provisions that permit the company to recoup previously awarded compensation if the recipient of such compensation is found to have engaged in or to be otherwise responsible for corporate wrongdoing. Finally, prosecutors may consider whether provisions for recoupment or reduction of compensation due to compliance violations or misconduct are maintained and enforced in accordance with company policy and applicable laws…Compensation structures that clearly and effectively impose financial penalties for misconduct can deter risky behavior and foster a culture of compliance.”

Clawbacks

With the Pilot Program and other announcements in the Monaco and Polite speeches, the DOJ has made clear that companies need to seek to recover amounts paid out to executives which were illegally received as corporate compensation. This could include both salary, stock options or similar payments or discretionary bonuses. Regarding your corporate clawback protocol itself, the ECCP poses the following questions:

  • What percentage of executive compensation is structured to encourage enduring ethical business objectives?
  • Are the terms of bonus and deferred compensation subject to cancellation or recoupment, to the extent available under applicable law, in the event that non-compliant or unethical behavior is exposed before or after the award was issued?
  • Does the company have a policy for recouping compensation that has been paid, where there has been misconduct?
  • Have there been specific examples of actions taken (e.g., promotions or awards denied, compensation recouped or deferred compensation cancelled) as a result of compliance and ethics considerations?

All of this means every compliance program will need to analyze each of these components as set out. It will also require a review of executive contracts to determine if there are clawback provisions set out in each employment contract. If there are no such provisions, they will need to be inserted. Finally, what “specific examples of actions taken” does a company have to show to the DOJ should they come knocking?

Consequence Management

The DOJ also mandated that compliance programs take a deeper dive into their entire financial incentive program; both incentives and dis-incentives. While not previously discussed in speeches, these new requirements seem to flow from the general statements made by both Monaco and Polite over the past year. In this area, the ECCP mandates the following inquiries:

  • How has the company ensured effective consequence management of compliance violations in practice?
  • What insights can be taken from the management of a company’s hotline that provide indicia of its compliance culture or its management of hotline reports?
  • How do the substantiation rates compare for similar types of reported wrongdoing across the company (i.e. between two or more different states, countries, or departments) or compared to similarly situated companies, if known?
  • Has the company undertaken a root cause analysis into areas where certain conduct is comparatively over or under reported?
  • What is the average time for completion of investigations into hotline reports and how are investigations that are addressed inconsistently managed by the responsible department?
  • What percentage of the compensation awarded to executives who have been found to have engaged in wrongdoing has been subject to cancellation or recoupment for ethical violations?
  • Taking into account the relevant laws and local circumstances governing the relevant parts of a compensation scheme, how has the organization sought to enforce breaches of compliance or penalize ethical lapses?
  • How much compensation has in fact been impacted (either positively or negatively) on account of compliance-related activities?

Obviously, there is some overlap with the clawback language but there is quite a bit new in these questions. The DOJ ties hotline and speak up reports directly to a company’s culture of compliance. This is almost a direct tie back to the findings of Kyle Welch in his seminal work on a speak up culture. But the DOJ goes on to ask about substantiation rates, closure rates, consistent and fair application of discipline (and rewards when called for) and root cause analysis; which are not simply technical aspects of compliance programs but are concrete steps companies can implement to engender trust with employees that their concerns will be taken seriously and then acted upon when they are raised. Once again, as with clawbacks, these are levels of analysis that many compliance programs have not yet taken but are now required to do so.

Join us tomorrow when we consider messaging apps under the revised ECCP.

Categories
Daily Compliance News

March 11, 2023 – The Settlement Ditched Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Stories we are following in today’s edition of Daily Compliance News:

  • JPMorgan sues former exec Jes Staley for Epstein connections. (WSJ)
  • DOJ against USSG changes. (Reuters)
  • Whistleblowers ditch settlement with Texas AG. (Houston Chronicle)
  • Swiss bankers indicted for AML violations. (ICIJ)
Categories
2 Gurus Talk Compliance

2 Gurus Talk Compliance – Episode 1

What happens when two top compliance commentators get together? They talk compliance, of course. Join Kristy Grant-Hart and Tom Fox for their new podcast, 2 Gurus Talk Compliance! But it is not simply Kristy and Tom talking about compliance. In this podcast series, Kristy and Tom also review other top commentators in compliance. In this podcast, we will consider all things compliance, corporate ethics, ESG, governance, and whatever else is on our minds and the minds of other experts in the field. Kristy and Tom explore all of these topics with expertise and wit.

In this inaugural episode, they discuss the latest compliance trends and news, including two Supreme Court cases that have implications for the compliance profession. They also cover the Department of Justice and whistleblower trends, taking a look at Miranda and Upjohn warnings and increasing numbers of whistleblower reports to the SEC. They also dive into an article from the Harvard Law School Forum on corporate governance and discuss the Illinois Biometric law. Join the conversation and discover the latest on compliance and regulations with 2 Gurus Talk Compliance.

Highlights Include

The Role of In-House Attorneys in Communication Between Outside Counsel and Businesses [00:05:17]

Supreme Court Decision on the Future of the CFPB [00:09:11]

Impact of the Colorado Draft Regulation on Artificial Intelligence Compliance Programs [00:13:23]

The Benefits of Automated Data Deletion [00:17:23]

A Miranda component to corporate Upjohn Warnings [00:21:25]

The Obligation of Society to Address Climate Change [00:25:33]

The Benefits of Self-Disclosure in the DOJ Justice System [00:29:18]

The Role of the Board in Overseeing Third Parties in High-Risk Countries [00:33:14]

The Impact of Whistleblowers on the SEC [00:40:54]

White Castle’s Violation of Illinois Biometric Law [00:45:05]

Notable Quotes

  1. “The DOJ is urging a federal judge to sanction Google’s parent, Alphabet, for its practice of setting employee chats to auto delete despite promising to preserve records.”
  2. “It goes beyond the specifics of this law, something you and I have talked about for several years now, that the compliance function and the CCO is well perhaps the most well-suited corporate discipline to deal with these new initiatives because it’s the basic framework of compliance that you and I have worked with for 15 years.”
  3. “Most compliance programs just don’t have good frameworks for things like AI or for big data even though we’ve been using that word for a long time.”

Resources

  1. Boards and 3rd Party Risk Oversight
  2. CO Draft AI Rules for Insurance
  3. Miranda Warnings in Corp Investigation
  4. Current whistleblowing landscape
  5. Has the stature of the CCO changed? 
  6. Analysis of the DOJ’s update to the self-disclosure program
  7. Supreme Court considering defunding the CFTC
  8. Trends in state privacy law   
  9. Litigation holds and records retention/Google/DOJ  
  10. Individuals charged – first enforcement action 2023 

Categories
Daily Compliance News

March 10, 2023 – The Convicted Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Stories we are following in today’s edition of Daily Compliance News:

Categories
Blog

The Week That Was in Compliance – The ECCP: Part 1 – Incentives

In addition to the speeches presented at the ABA’s 38th Annual National Institute on White Collar Crime by Deputy Attorney General Lisa Monaco (2023 Monaco Speech) and Assistant Attorney General Kenneth A. Polite (Polite Speech), there was the release of the 2023 U.S. Department of Justice Criminal Division Evaluation of Corporate Compliance Programs (ECCP). Today we will begin a multi-part review of this document by considering financial incentives.

This section begins with a new introduction which makes clear the seriousness with which the Department of Justice (DOJ) views incentives, both financial and other types of incentives. The ECCP states, “The design and implementation of compensation schemes play an important role in fostering a compliance culture. Prosecutors may consider whether a company has incentivized compliance by designing compensation systems that defer or escrow certain compensation tied to conduct consistent with company values and policies. Some companies have also enforced contract provisions that permit the company to recoup previously awarded compensation if the recipient of such compensation is found to have engaged in or to be otherwise responsible for corporate wrongdoing. Finally, prosecutors may consider whether provisions for recoupment or reduction of compensation due to compliance violations or misconduct are maintained and enforced in accordance with company policy and applicable laws. Compensation structures that clearly and effectively impose financial penalties for misconduct can deter risky behavior and foster a culture of compliance.”

However, the DOJ reiterated that “providing positive incentives, such as promotions, rewards, and bonuses for improving and developing a compliance program or demonstrating ethical leadership, can drive compliance. Prosecutors should examine whether a company has made working on compliance a means of career advancement, offered opportunities for managers and employees to serve as a compliance “champion”, or made compliance a significant metric for management bonuses. In evaluating whether the compensation and consequence management schemes are indicative of a positive compliance culture.”

Neither of these concepts for incentives is new. Financial incentives were a part of the original 10 Hallmarks of an Effective Compliance Program, as delineated in the 2012 edition of the FCPA Resource Guide. It was brought forward in the 2020 2nd edition. Promotions, rewards and bonuses were also discussed in both of those documents as well as other DOJ pronouncements and formulations over the years. However, this is the first time the DOJ has specifically spelled out the role of the ‘compliance champion’ as both an indicia of a best practices compliance program as well as a mechanism to demonstrate a ‘positive compliance culture.’

The ECCP also added a new section on financial incentives which directs prosecutors to specifically evaluate how a company designs and applies financial incentives. It states:

Incentive System – Has the company considered the implications of its incentives and rewards on compliance? How does the company incentivize compliance and ethical behavior? Have there been specific examples of actions taken (e.g., promotions or awards denied) as a result of compliance and ethics considerations? Who determines the compensation, including bonuses, as well as discipline and promotion of compliance personnel?

Rephrasing these questions, a compliance professional might consider them in the following manner:

  1. How does the company incentivize compliance and ethical behavior?
  2. Has the company considered the implications of its incentives and rewards on compliance?
  3. Who determines the compensation, including bonuses, as well as discipline and promotion of compliance personnel?
  4. Have there been specific examples of actions taken (e.g., promotions or awards denied) as a result of compliance and ethics considerations?

These four questions basically break down into the following continuum: (1) Assessment, (2) Analysis, (3) Implementation; and (4) Monitoring.

Incentive program assessment. Here you need to review your corporate incentive program for all employees, most particularly the discretionary bonus program but also your non-financial incentives such as promotion. Is your bonus program only related to individual sales, division sales or other similar metric or overall company performance? You can begin with some questions suggested by the ECCP: What role does the compliance function have in designing and awarding financial incentives at senior levels of the organization? Has the company evaluated whether commercial targets are achievable if the business operates within a compliant and ethical manner?

If you do not have any component for doing business ethically and in compliance, your entire compliance program is probably falling short at this point. You should also see if this is a query for promotion and not simply does an employee.

Incentive program analysis. Here you need to see what perverse incentives may exist in your organization. Obviously if meeting your target numbers is the sole criterion, your program is once again falling short. On the promotion front, you need to analyze patterns of promotion to (1) see if any employees with ethical or compliance program violations have been promoted; and (2) also determine if employees are promoted simply for NOT having any ethical violations. This would lead to a review of whether or not promoted employees have actively participated in improving or maintaining a culture of compliance. How does the company incentivize compliance and ethical behavior? What percentage of executive compensation is structured to encourage enduring ethical business objectives?

Incentive program implementation. After implementation of the incentive program, it must be monitored. The ECCP suggests an inquiry into the following area: Has the company considered the impact of its financial rewards and other incentives on compliance? Additionally, what role, if any, did the corporate compliance function have in advising on the bonus program or participating in setting the bonus and promotion structures?

Incentive program monitoring. Here there needs to be ongoing monitoring of the incentive program, including whether the company has ensured effective management of the incentive program. The ECCP suggests a review of how much compensation has in fact been impacted (either positively or negatively) on account of compliance-related activities.

Join me tomorrow where I take a deep dive into discipline or the new formulation, “consequence management.”